TLS Bootstrap Attack on Azure Kubernetes Clusters

19.08.2024


Cybersecurity researchers have uncovered a privilege-escalation flaw in Microsoft Azure Kubernetes Service (AKS) that attackers could use to obtain sensitive credentials within a cluster. An attacker who can already execute commands inside a Pod in an affected AKS cluster could download the configuration used to provision the cluster node, extract Transport Layer Security (TLS) bootstrap tokens from it, and launch a TLS bootstrap attack. That attack would ultimately give them access to the secrets used by workloads running in the cluster, a significant security risk.

The vulnerability specifically affects clusters configured with “Azure CNI” for the network configuration and “Azure” for the network policy. Google-owned Mandiant, which disclosed the flaw, explained that the attack relies on reaching an obscure component called Azure WireServer. From it, the attacker can request the key used to encrypt protected settings values, known as the “wireserver.key.” That key can then be used to decrypt a provisioning script that contains several sensitive values, including KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, KUBELET_CA_CRT, and TLS_BOOTSTRAP_TOKEN.

These values can be Base64 decoded and written to disk, after which the attacker can use them with the Kubernetes command-line tool, kubectl, to authenticate to the cluster. The account behind the kubelet client certificate has minimal permissions in recently deployed AKS clusters, but it can still list all nodes in the cluster. The more serious problem is the TLS_BOOTSTRAP_TOKEN, which can be used for a TLS bootstrap attack: the bootstrap token is used to request a client certificate for a node identity, and once that certificate is issued the attacker can act as that node and retrieve the secrets mounted into the workloads scheduled on it, ultimately exposing all secrets used by the running workloads in the cluster.

Mandiant emphasized that the attack does not require the Pod to be running as root, which broadens its potential scope. As a mitigation, they recommended creating restrictive NetworkPolicies that only allow access to the services a workload actually needs, which prevents this entire class of attacks. Making undocumented services unreachable from Pods is key to reducing privilege-escalation risk.
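The following is an added example, not code from Mandiant, Microsoft or this article. It checks the mitigation above the way a reviewer would: given a namespace's NetworkPolicy objects (here constructed as Python dicts in the same shape as the YAML manifests), it reports which Pods can still open an egress connection to the WireServer. It assumes 168.63.129.16, Azure's documented WireServer address, which the article itself does not name; the namespace, Pod names and labels are constructed for the example; and only ipBlock egress peers are modelled (podSelector and namespaceSelector peers are treated as not matching an external IP). The weak configuration is a namespace with no egress policy, or a policy whose podSelector misses some Pods; the corrected one selects every Pod and carves the WireServer out of the allowed range.

```python
"""Audit whether NetworkPolicies still let Pods reach the Azure WireServer.

Added example; implements standard NetworkPolicy egress semantics for ipBlock
peers only:
  * a Pod selected by no Egress-type policy may reach any destination;
  * otherwise it may reach an address only if some selecting policy has an
    egress rule that permits it (no 'to' list, or an ipBlock whose cidr
    contains the address and whose 'except' list does not).
Ports are ignored; a port-only restriction still leaves the WireServer reachable.
"""
import ipaddress

# Azure's documented WireServer address (assumption: not stated in the article).
WIRESERVER_IP = "168.63.129.16"


def _policy_types(spec):
    # Kubernetes default: Ingress always, plus Egress if an egress section exists.
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))


def _selects_pod(policy, pod_labels):
    match = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in match.items())  # {} selects all


def _ipblock_allows(block, ip):
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(c, strict=False) for c in block.get("except", []))


def egress_allowed(policies, pod_labels, dest_ip):
    """True if a Pod with pod_labels may open an egress connection to dest_ip."""
    selecting = [p for p in policies
                 if _selects_pod(p, pod_labels) and "Egress" in _policy_types(p["spec"])]
    if not selecting:
        return True  # no egress policy applies: default allow
    for policy in selecting:
        for rule in policy["spec"].get("egress", []):
            peers = rule.get("to")
            if not peers:
                return True  # rule without 'to' allows every destination
            for peer in peers:
                if "ipBlock" in peer and _ipblock_allows(peer["ipBlock"], dest_ip):
                    return True
    return False  # selected by an egress policy, no rule permitted the address


def pods_reaching(policies, pods, dest_ip=WIRESERVER_IP):
    """Names of Pods ({'name', 'labels'}) that can still reach dest_ip."""
    return [p["name"] for p in pods if egress_allowed(policies, p["labels"], dest_ip)]


def _policy(name, pod_selector, policy_types, egress=None):
    spec = {"podSelector": pod_selector, "policyTypes": policy_types}
    if egress is not None:
        spec["egress"] = egress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "workloads"}, "spec": spec}


# Constructed sample namespace: two Pods with different labels.
PODS = [{"name": "web-0", "labels": {"app": "web"}},
        {"name": "batch-0", "labels": {"app": "batch"}}]

# Allows everything except the WireServer; DNS and in-cluster traffic stay open.
EXCEPT_WIRESERVER = [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                          "except": [WIRESERVER_IP + "/32"]}}]}]

# Weak: an ingress-only policy does nothing for egress.
INGRESS_ONLY = _policy("default-deny-ingress", {}, ["Ingress"])
# Weak: correct rule, but the podSelector only covers app=web.
SCOPED = _policy("deny-wireserver-web", {"matchLabels": {"app": "web"}}, ["Egress"], EXCEPT_WIRESERVER)
# Corrected: selects every Pod in the namespace.
DENY_WIRESERVER = _policy("deny-wireserver-egress", {}, ["Egress"], EXCEPT_WIRESERVER)


if __name__ == "__main__":
    for label, policies in [("no policy", []), ("ingress only", [INGRESS_ONLY]),
                            ("scoped", [SCOPED]), ("all pods", [DENY_WIRESERVER])]:
        print(f"{label:12s} pods reaching WireServer: {pods_reaching(policies, PODS)}")
```

Two caveats a practitioner should keep in mind. Mandiant's recommendation is an allowlist of needed destinations; the sample policy only denies the one address so that the evaluator's output stays readable, and a real policy should replace the 0.0.0.0/0 block with the specific CIDRs and DNS the workload requires. Second, NetworkPolicy does not govern Pods running with hostNetwork, so those need a separate review.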

This disclosure comes amid the discovery of another high-severity Kubernetes vulnerability (CVE-2024-7646) affecting the ingress-nginx controller. This flaw, highlighted by Kubernetes security platform ARMO, could allow a malicious actor to gain unauthorized access to sensitive cluster resources. The issue arises from improper validation of annotations on Ingress objects, which could be exploited to inject malicious content, potentially leading to command injection and access to the ingress-nginx controller’s credentials.

Moreover, a design flaw in the Kubernetes git-sync project was also uncovered, affecting multiple platforms, including Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode. The flaw allows for command injection or data exfiltration by exploiting the lack of input sanitization, underscoring the importance of robust defenses against such vulnerabilities. Organizations are advised to audit their git-sync pods to ensure secure configurations and monitor for any suspicious activity.
